For immediate assistance with a network intrusion, ransomware
attack, or BEC, please contact: IrongateResponse@irongatesecurity.com
Most often, we think of adversaries using custom-crafted malware to infect organizations, establish backdoors, and wreak havoc within networks. However, not every cyberattack uses malware. Sometimes, adversaries find it easier to repurpose legitimate software typically used for IT system administration. The IronTeam observed adversaries deploying Qilin ransomware with the Total Software Deployment (“TSD”) suite, using it to push the ransomware across the environment, as well as executing the ransomware manually through Remote Desktop Protocol (“RDP”).
- Adversaries introduced TSD into the environment. IronGate confirmed this through both forensic analysis and interviews with its clients.
- The use of TSD is not a new technique. This specific software suite was previously observed being used by adversaries deploying Conti ransomware.
- TSD is legitimately used by IT teams. It is used to manage endpoints by installing or uninstalling software, maintaining updates, and scanning the network to inventory connected assets.
- Actions performed through this legitimate software could evade anti-virus and EDR tools.
Notable Observations:
- In 99% of investigations involving Qilin ransomware, the adversaries succeeded in exfiltrating data from the environment undetected.
- In 50% of investigations, the suspected patient zero was an unpatched firewall. Common firewalls in use at the time of the attack included SonicWall and FortiGate.
- In one specific matter, forensic analysis identified a Windows Server 2012 R2 as the computer system with the earliest unauthorized activity. While SentinelOne (“S1”) was installed, the adversary was able to kill the process, uninstall the S1 sensor, and repurpose that server as their staging server.
- The adversary was also observed to leverage both file-level encryption targeting files within the operating system and encryption of hypervisor hosts, targeting the virtual machine (“VM”) disks.
Mitigation Recommendations:
- Ensure patch management programs are properly implemented and that patches are applied promptly. Organizations should monitor threat intelligence feeds for zero-day vulnerabilities applicable to their specific devices and operating systems.
- End-of-Life (“EOL”) devices and operating systems should be upgraded immediately. Windows Server 2012 R2 reached EOL in October 2023.
- Hypervisor hosts should be segmented off and inaccessible from the production network, and administered with a separate, unique set of credentials.
- Back up VMs to a separate network managed with separate, untrusted credentials.
- Centrally aggregate and store logs from critical devices and systems; retain at least 3 months of logs.
- Implement a 24 x 7 Security Operations Center (“SOC”) to monitor and respond to alerts from security tools including SIEM, EDR software, and network devices.
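The abuse of a legitimate deployment tool, the EDR sensor being stopped, and RDP access preceding ransomware execution described above are all visible in centrally aggregated logs if someone is correlating them. The script below is an added example written for this post, not IronGate's tooling or a detection shipped with any product. It correlates constructed Windows-style events (real event IDs 4624, 4688 and 7036, but invented hosts, accounts and timestamps) and flags three patterns: a deployment tool launched by an account outside an approved list, the EDR service entering a stopped state, and a deployment tool started within an hour of an RDP logon by the same account on the same host. The TSD binary name `tsd.exe`, the EDR service name `edr-sensor-service` and the approved-deployer account are placeholders to be replaced with values from your own environment.

```python
"""Correlate constructed Windows-style events to flag deployment-tool abuse,
EDR sensor tampering, and RDP-then-deploy sequences (added example)."""
from datetime import datetime, timedelta

# --- Assumptions (placeholders, not values from the advisory) ---------------
DEPLOYMENT_TOOLS = {"tsd.exe"}             # assumed TSD binary name; verify locally
EDR_SERVICES = {"edr-sensor-service"}      # placeholder for your EDR's service name
APPROVED_DEPLOYERS = {"corp\\sccm_svc"}    # accounts allowed to run deployment tools
RDP_WINDOW = timedelta(minutes=60)         # how long after an RDP logon we correlate

# Constructed sample telemetry (not real data) in a simplified dict shape.
# event_id values are real Windows IDs: 4624 logon (logon_type 10 = RemoteInteractive,
# i.e. RDP), 4688 process creation, 7036 service state change.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T01:10:00", "event_id": 4624, "host": "srv-2012",
     "user": "corp\\jdoe", "logon_type": 10, "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T01:25:00", "event_id": 7036, "host": "srv-2012",
     "user": "SYSTEM", "service": "edr-sensor-service", "state": "stopped"},
    {"ts": "2024-05-01T01:40:00", "event_id": 4688, "host": "srv-2012",
     "user": "corp\\jdoe", "image": "C:\\Tools\\tsd.exe"},
    # Benign: the approved deployment account runs TSD from the management box.
    {"ts": "2024-05-01T09:00:00", "event_id": 4688, "host": "mgmt-01",
     "user": "corp\\sccm_svc", "image": "C:\\Program Files\\TSD\\tsd.exe"},
]


def parse_ts(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, host, timestamp) alerts for the given events."""
    alerts = []
    # Process in time order so RDP logons are known before later process starts.
    events = sorted(events, key=lambda e: e["ts"])
    rdp_logons = {}  # (host, user) -> list of RDP logon datetimes
    for e in events:
        ts = parse_ts(e["ts"])
        if e["event_id"] == 4624 and e.get("logon_type") == 10:
            key = (e["host"], e["user"].lower())
            rdp_logons.setdefault(key, []).append(ts)
        elif (e["event_id"] == 7036 and e.get("service") in EDR_SERVICES
              and e.get("state") == "stopped"):
            # The sensor stopping is an alert in itself, whoever did it.
            alerts.append(("edr_service_stopped", e["host"], e["ts"]))
        elif e["event_id"] == 4688 and basename(e.get("image", "")) in DEPLOYMENT_TOOLS:
            user = e["user"].lower()
            if user not in APPROVED_DEPLOYERS:
                alerts.append(("deployment_tool_unapproved_user", e["host"], e["ts"]))
            # Same account reached this host over RDP shortly before running the tool?
            for logon_ts in rdp_logons.get((e["host"], user), []):
                if timedelta(0) <= ts - logon_ts <= RDP_WINDOW:
                    alerts.append(("rdp_then_deployment_tool", e["host"], e["ts"]))
                    break
    return alerts


if __name__ == "__main__":
    for rule, host, when in detect(SAMPLE_EVENTS):
        print(f"{when} {host}: {rule}")
```

On the constructed sample the approved account's TSD run on mgmt-01 produces nothing, while the srv-2012 sequence yields three alerts. The correlation only works if logons, process creations and service-state changes from servers and hypervisor hosts all land in the same store, which is the practical reason behind the central-logging and SOC recommendations above.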
Contact us today to learn more about our Digital Forensics and Incident Response (DFIR) services.
Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests. He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.